Intel's Whiskey Lake Brings In-Silicon Meltdown And Foreshadow Fixes

Intel's disclosures during its Whiskey Lake launch yesterday left out one very important fact: The Whiskey Lake processors are the first to feature in-silicon mitigations for the Meltdown and Foreshadow vulnerabilities. Word surfaced earlier today from industry analyst Ashraf Eassa that Intel's new chips might support the new mitigations, and we followed up with Intel for confirmation.

Intel representatives confirmed that Whiskey Lake chips bring the first in-silicon mitigations to the consumer market, but the Amber Lake processors do not have the mitigations. The current Spectre and Meltdown mitigations, which Intel delivers via software and microcode patches, can reduce performance by up to 10% (based on workload) on newer hardware, with older hardware suffering even larger losses. The new mitigations, which are baked directly into the silicon, should reduce or even eliminate the performance impact.

| Vulnerability | Whiskey Lake Mitigation | Cascade Lake Mitigation |
| --- | --- | --- |
| Variant 1 (Spectre) | Operating System | Operating System/VMM |
| Variant 2 (Spectre) | Microcode + Operating System | In-Silicon + Operating System/VMM |
| Variant 3 (Meltdown) | In-Silicon | In-Silicon |
| Variant 3a | Microcode + Operating System | Firmware |
| Variant 4 | Microcode + Operating System | Microcode + Operating System/VMM |
| L1TF (Foreshadow) | In-Silicon | ? |

The first wave of hardware-based fixes is limited, but Intel tells us that the in-silicon fixes will expand over time. Whiskey Lake processors will still need a combination of microcode and operating system patches for most variants, but Meltdown and L1TF (Foreshadow) are now patched fully in hardware. That should reduce, or eliminate, any performance impact of these mitigations, but Intel hasn't shared further information.

The Cascade Lake data center processors marked the introduction of in-silicon patches, but those chips have a different set of protections than the consumer processors. For instance, Cascade Lake has in-silicon protection against Spectre V2, whereas the Whiskey Lake processors do not. Intel representatives indicate that over time those Spectre V2 protections will also come to consumer chips. The limited scope of the in-silicon patches reminds us that Intel, like the many other companies impacted by these vulnerabilities, is still in the early stages of addressing the issues.

Regardless, the new in-silicon mitigations may help to address future vulnerabilities, as new variants based on the same techniques used in Spectre and Meltdown continue to pop up on a regular basis. Intel isn't detailing the exact nature of the changes to the microarchitecture, and likely for a good reason. Like the rest of the industry, Intel is playing a game of cat and mouse with security researchers and malicious actors that range from nation-states to garden-variety hackers, so it wouldn't be wise to share too much information about the fixes.

We expect that Intel's other new processors, like the much-anticipated 9000-series models, will also have in-silicon mitigations, but we're awaiting confirmation.

I'm sure that they are also worried about fixing known issues and inadvertently creating others.

People die in car crashes (most often caused by malevolent actors breaking laws), the builder installs seat belts (and provides it free to the customer), the customer complains that it now takes longer to get in the car and it put a wrinkle in their dress.

Have any attacks using the Spectre / Meltdown weaknesses ever occurred in the real world?

DavidC1

2012116 said:

Have any attacks using the Spectre / Meltdown weaknesses ever occurred in the real world?

They are at this weird phase where it's damned if you do, damned if you don't.

Errata and potential exploits exist. I mean computer code and hardware is incredibly complex. Do the security researchers wait and fix when the exploits cause real life impact, or do they proactively go about finding and fixing them? They often offer bounties so people can purposely look for exploits and bugs. However, if such bugs normally would have never been exploited, are they not doing more damage by doing so?

There's a saying in programming: fixing one bug will create 99 different ones. That may be a bit extreme, and obviously said as a joke. But maybe not so far from reality.

PaulAlcorn

2012116 said:

<SNIP>
Have any attacks using the Spectre / Meltdown weaknesses ever occurred in the real world?

Not that they know of, at least until the security researchers released the code that made it so simple a script kiddie could pull off an attack.

It's such a strange situation, in ways. The security researchers almost look like the bad guys because they go about unearthing stuff that may have never been discovered and used. But then they share the code as a means to force vendors to patch stuff.

But, who can say these attacks weren't used in the past? What if a state actor, like China, had used this attack for a decade and no one knew? The crux of the issue is that the attacks are virtually undetectable, so we can't say they haven't been used. Or, perhaps they were being used, were discovered, and then some three-letter agency tipped off the security researchers so as not to expose a threat to national security. Stranger things have happened, for sure.

silverblue

(second time of having to post these, I should've known the login process eats most things that I type)

"During Intel’s briefing, a lot of noise was made about some of the features: 2x overall performance, 12x better WiFi, 10.5x transcoding. These seem like impressive numbers, until you realise that Intel is comparing the new parts to five year old machines (e.g. Haswell-U), and none of these performance figures factor in the Spectre and Meltdown updates (the new chips are not protected in hardware, for those wondering). Does anyone remember two years ago when Intel was comparing its latest platform against three year old machines?"

I've posted something similar in their comments section, hopefully somebody can clarify this point.

PaulAlcorn

267802 said:

(second time of having to post these, I should've known the login process eats most things that I type)
AnandTech says that neither Spectre nor Meltdown have been fixed in hardware in either Whiskey Lake or Amber Lake, as per this paragraph at https://www.anandtech.com/show/13275/intel-launches-whiskey-lake-amber-lake
"During Intel’s briefing, a lot of noise was made about some of the features: 2x overall performance, 12x better WiFi, 10.5x transcoding. These seem like impressive numbers, until you realise that Intel is comparing the new parts to five year old machines (e.g. Haswell-U), and none of these performance figures factor in the Spectre and Meltdown updates (the new chips are not protected in hardware, for those wondering). Does anyone remember two years ago when Intel was comparing its latest platform against three year old machines?"
I've posted something similar in their comments section, hopefully somebody can clarify this point.

As stated in this article, Intel did not share this information at launch. However, Intel confirmed this to us directly, today. This is new information.

I'm sure Ian will update his article as time permits.

newsonline5000000

Bring in Fixes and add other backdoor bugs that will be discovered some years to come, repeat and rinse.

DGurney

So... how does your OS know you have a mitigated CPU, in order to resume normal operation and stop imposing the performance-robbing software mitigation?

stdragon

2423430 said:

So... how does your OS know you have a mitigated CPU, in order to resume normal operation and stop imposing the performance-robbing software mitigation?

It can probe the CPU to validate. The OS will take a backseat and abstain from implementing mitigation if it detects the CPU isn't vulnerable.

CPU microcode is distributed one of two ways: either rolled into a BIOS update, or pushed up as a Windows Update. In fact, this month MS just released Intel-provided microcode in this month's update, KB4100347. You can review the full list below. To obtain them, you just have to install Windows Updates as normal. No special action needs to be taken by you. And depending on how old your system is, the microcode loaded by the OS could very well be newer than the version provided in BIOS, so the newest will supersede it.
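
The probing described in the reply above can be sketched as follows. This is an added example, not code from the thread, from Intel, or from any operating system. It decodes the CPUID bit and the IA32_ARCH_CAPABILITIES MSR (0x10A) bits that Intel documents for enumerating Meltdown and L1TF status. The function name, flag names and sample register values are constructed for illustration and say nothing about what a particular Whiskey Lake part reports.

```c
#include <stdint.h>
#include <stdio.h>

/* Enumeration bits documented by Intel. */
#define CPUID7_EDX_ARCH_CAP (1u << 29)  /* CPUID.(EAX=7,ECX=0):EDX[29]: MSR 0x10A exists */
#define ARCH_CAP_RDCL_NO    (1ull << 0) /* not susceptible to Meltdown or L1TF */
#define ARCH_CAP_SKIP_L1DFL (1ull << 3) /* VMM may skip the L1D flush on VM entry */

/* Hypothetical flag names for the software mitigations still required. */
enum sw_mitigation {
    NEED_KPTI          = 1 << 0, /* kernel page-table isolation (Meltdown) */
    NEED_PTE_INVERSION = 1 << 1, /* L1TF: invert not-present PTEs */
    NEED_L1D_FLUSH     = 1 << 2, /* L1TF: flush L1D before VM entry */
};

/* Decide from the two register values which mitigations must stay on.
 * Real kernels also consult per-model lists; only the enumeration path is shown. */
unsigned required_sw_mitigations(uint32_t cpuid7_edx, uint64_t arch_cap)
{
    unsigned need = 0;

    /* Without the CPUID bit the MSR does not exist, so nothing it "says"
     * can be trusted: fall back to treating the CPU as vulnerable. */
    if (!(cpuid7_edx & CPUID7_EDX_ARCH_CAP))
        arch_cap = 0;

    if (!(arch_cap & ARCH_CAP_RDCL_NO)) {
        need |= NEED_KPTI | NEED_PTE_INVERSION;
        if (!(arch_cap & ARCH_CAP_SKIP_L1DFL))
            need |= NEED_L1D_FLUSH;
    }
    return need;
}

int main(void)
{
    /* Constructed register values, not read from real hardware. */
    struct { const char *label; uint32_t edx; uint64_t cap; } s[] = {
        { "no ARCH_CAPABILITIES MSR", 0, 0 },
        { "RDCL_NO set", CPUID7_EDX_ARCH_CAP, ARCH_CAP_RDCL_NO },
        { "only SKIP_L1DFL set", CPUID7_EDX_ARCH_CAP, ARCH_CAP_SKIP_L1DFL },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        unsigned n = required_sw_mitigations(s[i].edx, s[i].cap);
        printf("%-26s KPTI=%d PTE-inversion=%d L1D-flush=%d\n", s[i].label,
               !!(n & NEED_KPTI), !!(n & NEED_PTE_INVERSION), !!(n & NEED_L1D_FLUSH));
    }
    return 0;
}
```

On Linux, the kernel's own conclusion for each issue is reported under /sys/devices/system/cpu/vulnerabilities/.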